Hello,
In the Splunk GUI/Interface, I filter into the following commands to remove some unwanted data from being displayed:
| rex mode=sed field=_raw "s/ example: .+?( from |$)/ example: select from /g"
| rex mode=sed field=_raw "s/ in \(.+?\) / in (...) /g"
How would I apply this to props.conf on my forwarder (or is there a better option, i.e. transforms.conf)? I tried the following, but it did not seem to work for me.
[XX]
SEDCMD-first = s/ example: .+?( from |$)/ example: select from /g
SEDCMD-second = s/ in \(.+?\) / in (...) /g
force_local_processing = true
Hi @irwinj_125,
It is better to do these replacements on your indexers without force_local_processing=true.
Thanks!
Yes, my goal here is just to get the SEDCMD working; if I can do that, I will disable local processing and set it up on the indexer instead. Doing this locally allows me to test without having to restart the indexer, which would affect all my forwarders (at least that's my thinking).
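An offline check of the two SEDCMD expressions from the question, added here as an example and not part of the original thread: it applies them in order to constructed sample events so the masking result can be inspected without restarting anything. It assumes Python's re module matches these particular patterns the same way Splunk's regex engine does; the helper names and sample events are hypothetical.

```python
import re

# The two expressions exactly as posted in the question's props.conf stanza.
SEDCMDS = [
    r"s/ example: .+?( from |$)/ example: select from /g",
    r"s/ in \(.+?\) / in (...) /g",
]

def parse_sed(expr):
    """Split 's/<regex>/<replacement>/<flags>' on unescaped '/' delimiters."""
    if not expr.startswith("s/"):
        raise ValueError("only s/// substitutions are handled here")
    parts = re.split(r"(?<!\\)/", expr[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags: %r" % expr)
    regex, replacement, flags = parts
    # 'g' replaces every match; without it only the first match is replaced.
    count = 0 if "g" in flags else 1
    return re.compile(regex), replacement, count

def apply_sedcmds(event, exprs=SEDCMDS):
    """Apply each substitution in order to one event's raw text."""
    for expr in exprs:
        pattern, replacement, count = parse_sed(expr)
        event = pattern.sub(replacement, event, count=count)
    return event

# Constructed sample events (assumption: not taken from the thread).
SAMPLES = [
    # ' from ' present and ' in (...) ' followed by a space: both rules fire.
    "12:00:01 db example: select a, b from users where id in (1, 2, 3) and x=1",
    # No ' from ': the first rule runs to end of event via the '$' branch.
    "12:00:02 db example: delete everything",
    # Neither pattern present: event must pass through unchanged.
    "12:00:03 db no sensitive text here",
    # ' in (...)' at end of event: the second pattern needs a trailing space
    # after ')', so this list is left as-is.
    "12:00:04 db lookup where id in (4, 5)",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(apply_sedcmds(raw)))
```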